Lawmakers Question Companies Regarding Cybersecurity Risks
Senate Committee hearing highlights cybersecurity challenges facing companies, and serves as a warning regarding the need to be prepared.
A hearing conducted last week by the United States Senate Committee on Commerce, Science, and Transportation should be a wake-up call to companies and organizations regarding cybersecurity threats. Given the sophistication and pervasiveness of cyberattacks, it is imperative for companies and other organizations to have processes in place for handling suspected cybersecurity incidents. Companies should be familiar with the cybersecurity regulatory requirements for their industry and ensure that they are in compliance. Because it is likely not a question of if but when a company will be breached, it is critically important for companies, local and state agencies, and other institutions to prepare before they are confronted with a potential incident and to have a response protocol in place.
Last Wednesday, November 8, executives from Yahoo and Equifax testified on Capitol Hill before the Senate Commerce Committee, and fielded questions from lawmakers focused on efforts to protect consumers from data breaches and other cybersecurity risks.
Yahoo and Equifax have both been the victims of large-scale cybersecurity breaches in the past few years. Yahoo suffered cyberattacks in August 2013 and in 2014; the 2013 breach alone affected all three billion of its user accounts. Equifax disclosed a high-profile breach in September of this year in which the sensitive personal information of approximately 145 million Americans, roughly 60% of American adults, was compromised.
Executives from both companies noted that even the best-defended companies are not immune to cyberattacks, which are continually becoming more sophisticated and more frequent. This is especially true, the executives said, when the attacks come from state-sponsored actors. The federal government has attributed the 2014 hack of Yahoo to Russian operatives, and the Department of Justice has indicted several individuals, including Russian intelligence officers, for their alleged involvement.
Marissa Mayer, Yahoo’s former CEO, and Karen Zacharia, the deputy general counsel and chief privacy officer for Verizon Communications, Inc., which acquired Yahoo earlier this year, both testified that government involvement was required to increase cybersecurity. Zacharia also advocated for the passage of national data security legislation.
Some lawmakers seemed skeptical, however, pressing the executives about what measures their companies have taken since the breaches to improve security and asking about the processes in place for notifying affected consumers. Senator Ed Markey (D-MA) also questioned Zacharia’s professed commitment to national legislation, noting that Verizon had been “instrumental” in supporting the repeal of the Federal Communications Commission’s internet privacy rules earlier this year.
When former Equifax CEO Richard Smith claimed that Equifax was the victim of a criminal attack, Senator Bill Nelson (D-FL) responded that “Equifax is not the victim. It’s the poor customers of Equifax.” Nelson also advocated an “attitude change” by companies, saying that “we’ve got to go to extreme limits to protect our customers’ privacy.” Nelson further suggested that stiffer enforcement and more stringent penalties for companies would provide the necessary incentive to protect consumer information and to notify consumers of cybersecurity breaches.
It is clear not only that cybersecurity risks are real and immediate, but also that companies and organizations will be held responsible for failing to prepare for and proactively confront those risks. There are many relatively simple steps your organization should take to increase its preparedness for a cybersecurity incident. Having a written incident response policy and a designated response team in place, knowing the advantages of involving legal counsel at an early stage, knowing when to engage a forensics expert, and knowing when and how to involve law enforcement are paramount to an effective response. Regulations, which vary across jurisdictions and industries, impose specific requirements for notifying affected individuals and regulators and for involving law enforcement, often on fixed timelines. Having a plan to meet your regulatory obligations and to handle public relations in the event of an incident will help minimize the damage to your organization.
A robust incident response policy also requires conducting tabletop exercises with the response team and training staff to address the “human factor” in cybersecurity risk. And of course, addressing your insurance exposure ahead of time can provide financial protection against unexpected and unforeseen losses. The bottom line is to get ahead of this likely problem rather than allow lawmakers’ frustrations to result in tougher enforcement and more expensive consequences.